Updated on 2024-07-22 GMT+08:00

Common Check Items

A VPN connection fails to be established, or pings across it fail, when any of the following is configured incorrectly: the negotiation policy, the firewall, the route table, the inter-zone policy, the NAT configuration, or the security group.

Check the following configurations.

Checking the Negotiation Information on Both Sides of a VPN Connection

  • Ensure that the pre-shared keys (PSKs) configured on the two sides are the same.
  • Ensure that the IKE policy and the IPsec policy on the two sides match (for example, the IKE version, encryption and authentication algorithms, DH group, and SA lifetime).
  • Ensure that the local and remote subnets are mirrored: every local subnet configured on one side must be configured as a remote subnet on the other side, and vice versa.
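The three checks above can be scripted against exported configurations. The following is an added example, not code from Huawei Cloud documentation: it compares the PSK, the IKE and IPsec policy parameters, and verifies that the local subnets of each side appear as remote subnets of the other. The configuration dictionaries, field names and addresses are constructed for illustration; map them to the parameters your own devices expose.

```python
import ipaddress

# Constructed sample configurations for the two ends of one VPN connection.
# Field names are illustrative; the values deliberately contain two mismatches.
CLOUD_SIDE = {
    "psk": "example-psk-not-real",
    "ike": {"version": "v2", "auth_alg": "sha2-256", "enc_alg": "aes-256",
            "dh_group": "group14", "lifetime": 86400},
    "ipsec": {"auth_alg": "sha2-256", "enc_alg": "aes-256", "pfs": "group14",
              "lifetime": 3600},
    "local_subnets": ["192.168.0.0/24", "192.168.1.0/24"],   # VPC subnets on the cloud
    "remote_subnets": ["10.1.0.0/16"],                        # on-premises network
}
ONPREM_SIDE = {
    "psk": "example-psk-not-real",
    "ike": {"version": "v2", "auth_alg": "sha2-256", "enc_alg": "aes-256",
            "dh_group": "group2", "lifetime": 86400},          # DH group differs from the cloud side
    "ipsec": {"auth_alg": "sha2-256", "enc_alg": "aes-256", "pfs": "group14",
              "lifetime": 3600},
    "local_subnets": ["10.1.0.0/16"],
    "remote_subnets": ["192.168.0.0/24"],                     # second VPC subnet is missing
}


def compare_policy(name, a, b):
    """Return one message per policy parameter that differs between the two sides."""
    return [f"{name} {key}: cloud={a.get(key)!r} onprem={b.get(key)!r}"
            for key in sorted(set(a) | set(b)) if a.get(key) != b.get(key)]


def to_networks(subnets):
    """Parse subnet strings so that '192.168.1.1/24' and '192.168.1.0/24' compare equal."""
    return {ipaddress.ip_network(s, strict=False) for s in subnets}


def check_subnet_pairs(cloud, onprem):
    """Local subnets of one side must be the remote subnets of the other, and vice versa."""
    problems = []
    pairs = [
        ("cloud local", to_networks(cloud["local_subnets"]),
         "on-premises remote", to_networks(onprem["remote_subnets"])),
        ("on-premises local", to_networks(onprem["local_subnets"]),
         "cloud remote", to_networks(cloud["remote_subnets"])),
    ]
    for name_a, nets_a, name_b, nets_b in pairs:
        # Symmetric difference: subnets configured on one side only.
        for net in sorted(nets_a ^ nets_b):
            where = name_a if net in nets_a else name_b
            problems.append(f"subnet {net} is configured as {where} "
                            "but has no counterpart on the other side")
    # A local subnet overlapping a remote subnet on the same side cannot be routed through the tunnel.
    for side, cfg in (("cloud", cloud), ("on-premises", onprem)):
        for local in to_networks(cfg["local_subnets"]):
            for remote in to_networks(cfg["remote_subnets"]):
                if local.overlaps(remote):
                    problems.append(f"{side}: local subnet {local} overlaps remote subnet {remote}")
    return problems


def check_negotiation(cloud, onprem):
    """Run all negotiation checks; an empty list means the two sides are consistent."""
    problems = []
    if cloud["psk"] != onprem["psk"]:
        problems.append("PSK differs between the two sides")
    problems += compare_policy("IKE", cloud["ike"], onprem["ike"])
    problems += compare_policy("IPsec", cloud["ipsec"], onprem["ipsec"])
    problems += check_subnet_pairs(cloud, onprem)
    return problems


if __name__ == "__main__":
    for problem in check_negotiation(CLOUD_SIDE, ONPREM_SIDE):
        print("MISMATCH:", problem)
```

Run against the sample, the script reports the IKE DH group mismatch and the VPC subnet 192.168.1.0/24 that the on-premises side never lists as a remote subnet; both would leave the tunnel down or only partly reachable.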

Checking the Firewall Configuration on Your Local Network and the Security Group Configuration on the Cloud

  • Ensure that the firewall on your network and the security group on Huawei Cloud both permit data packets from your network to the VPC subnet on Huawei Cloud.
  • Ensure that they both permit data packets from the VPC subnet on Huawei Cloud to your network.

Checking the Firewall Route Table

Verify that the firewall has a route to the VPC subnet on Huawei Cloud.

  • Ensure that the route table contains a route whose destination covers the target network on Huawei Cloud.
  • Ensure that the route has actually been installed in the forwarding table, that is, it is active and its next hop is reachable.

    Incorrect route configurations:

    1. The destination CIDR block of the route does not match the VPC CIDR block (for example, it covers only part of the VPC). In this case, traffic destined for Huawei Cloud is not routed to the public network interface on which the IPsec policy is applied.
    2. The outbound interface rather than the next hop is specified when configuring a static route.

      On an Ethernet network, a route that specifies only the outbound interface has no next-hop address to resolve, so the device cannot learn the ARP entry it needs from the remote side and forwarding fails.

    3. The VPN gateway address on Huawei Cloud is specified as the next hop of the route.

      Some third-party devices do not support automatic route recursion. Because VPN traffic is sent from the public network interface, the next hop must be the gateway address provided by the carrier (the next hop of the public network interface), not the address of the VPN gateway on Huawei Cloud.
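The three route misconfigurations above can be detected mechanically from a dump of the firewall's static routes. The following is an added example, not code from Huawei Cloud documentation or from any firewall vendor: it performs a longest-prefix lookup to show which route traffic to the VPC would actually take, then flags routes that do not cover the VPC CIDR block, routes that specify only an outbound interface, and routes whose next hop is the cloud VPN gateway instead of the carrier gateway. The VPC CIDR, gateway addresses (RFC 5737 documentation ranges), interface name and route entries are constructed for illustration.

```python
import ipaddress

# Constructed values (RFC 5737 documentation addresses); replace with your own.
VPC_CIDR = "192.168.0.0/16"             # VPC CIDR block on Huawei Cloud
CLOUD_VPN_GATEWAY = "203.0.113.10"      # public address of the VPN gateway on Huawei Cloud
CARRIER_GATEWAY = "198.51.100.1"        # next hop of the firewall's public network interface
WAN_INTERFACE = "GigabitEthernet0/0/1"  # public network interface carrying the IPsec policy

# Constructed static route table of the on-premises firewall. Each route has a
# destination and either a next hop or only an outbound interface.
ROUTES = [
    {"destination": "192.168.0.0/16", "next_hop": "203.0.113.10", "interface": None},
    {"destination": "192.168.1.0/24", "next_hop": None, "interface": WAN_INTERFACE},
    {"destination": "0.0.0.0/0", "next_hop": "198.51.100.1", "interface": WAN_INTERFACE},
]


def select_route(dst_ip, routes):
    """Longest-prefix match: the route the firewall would actually use for dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r["destination"])]
    if not candidates:
        return None
    return max(candidates, key=lambda r: ipaddress.ip_network(r["destination"]).prefixlen)


def check_routes(vpc_cidr, routes, cloud_vpn_gateway, carrier_gateway):
    """Return (code, message) findings for the three misconfigurations described above."""
    vpc = ipaddress.ip_network(vpc_cidr)
    # Only routes of the same address family can overlap or cover the VPC block.
    routes = [r for r in routes if ipaddress.ip_network(r["destination"]).version == vpc.version]
    findings = []

    # 1. A non-default route must cover the whole VPC CIDR block.
    covering = [r for r in routes
                if ipaddress.ip_network(r["destination"]).prefixlen > 0
                and ipaddress.ip_network(r["destination"]).supernet_of(vpc)]
    if not covering:
        partial = [r["destination"] for r in routes
                   if ipaddress.ip_network(r["destination"]).prefixlen > 0
                   and ipaddress.ip_network(r["destination"]).overlaps(vpc)]
        message = f"no static route covers the VPC CIDR {vpc}"
        if partial:
            message += f"; routes covering only part of it: {partial}"
        findings.append(("no-route", message))

    # 2 and 3 apply to every route that would carry traffic toward the VPC.
    for r in routes:
        dest = ipaddress.ip_network(r["destination"])
        if not dest.overlaps(vpc):
            continue
        if r["next_hop"] is None:
            findings.append(("interface-only",
                             f"route {dest} specifies only interface {r['interface']}; on Ethernet "
                             "no ARP entry can be resolved without a next-hop address"))
        elif ipaddress.ip_address(r["next_hop"]) == ipaddress.ip_address(cloud_vpn_gateway):
            findings.append(("vpn-gw-next-hop",
                             f"route {dest} uses the cloud VPN gateway {cloud_vpn_gateway} as next hop; "
                             f"use the carrier gateway {carrier_gateway} instead"))
    return findings


if __name__ == "__main__":
    route = select_route("192.168.5.7", ROUTES)
    print("traffic to 192.168.5.7 uses route", route["destination"],
          "via", route["next_hop"] or route["interface"])
    for code, message in check_routes(VPC_CIDR, ROUTES, CLOUD_VPN_GATEWAY, CARRIER_GATEWAY):
        print(f"[{code}] {message}")
```

On the sample table the lookup shows that a host in the VPC is reached through the /16 route, and the checks report that this route points at the cloud VPN gateway (error 3) while the more specific /24 route is interface-only (error 2); a corrected table has a single route for the VPC CIDR whose next hop is the carrier gateway.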

Checking the Firewall Inter-zone Policy

  • From the Trust zone to the Untrust zone: Allows access from your local network to the VPC subnet on the cloud.
  • From the Untrust zone to the Trust zone: Allows access from the VPC on the cloud to your local network.

Checking the NAT Configurations on the Firewall

Check whether the local VPN gateway is behind a NAT device (usually the border firewall), that is, whether the outbound interface of the VPN gateway uses a private IP address that the NAT device translates into a public IP address.

This scenario is also called IPsec NAT traversal (NAT-T). In this case, the NAT device must permit UDP ports 500 and 4500 between the two VPN gateways, because IKE negotiation uses UDP port 500 and the NAT-T encapsulated traffic uses UDP port 4500.